Kazuma Matsumoto

A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.

**Name of the Vulnerable Software and Affected Versions** AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.15 **Description** The AI Chatbot & Workflow Automation by AIWU plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping involving the `X-Forwarded-For` header. Unauthenticated attackers can inject arbitrary web scripts into pages, which then execute when a user accesses the affected page. Practical exploitation is limited by a 20-character storage limit. **Recommendations** Update to a version later than 1.4.14.

**Name of the Vulnerable Software and Affected Versions** Continually versions prior to 4.3.2 **Description** The Continually plugin for WordPress contains a Stored Cross-Site Scripting issue in the admin settings caused by insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the affected page. This issue specifically impacts multi-site installations and environments where `unfiltered html` has been disabled. **Recommendations** Update to a version later than 4.3.1.

**Name of the Vulnerable Software and Affected Versions** FastBots versions prior to 1.0.13 **Description** The FastBots plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping in admin settings. This allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the affected page. This issue specifically impacts multi-site installations and environments where `unfiltered html` has been disabled. **Recommendations** Update to a version later than 1.0.12. As a temporary mitigation, restrict access to the admin settings or ensure `unfiltered html` is managed according to security best practices.

**Name of the Vulnerable Software and Affected Versions** AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.18 **Description** The AI Chatbot & Workflow Automation by AIWU plugin for WordPress contains a flaw allowing unauthenticated attackers to append additional SQL queries to existing ones. This is caused by insufficient escaping of user-supplied parameters and a lack of proper preparation of the SQL query within the `getListForTbl()` function. This can lead to the extraction of sensitive information from the database. SQL Injection is a technique where an attacker inserts malicious SQL code into a query to manipulate the database. **Recommendations** Update to a version later than 1.4.17. As a temporary workaround, restrict access to the `getListForTbl()` function.

**Name of the Vulnerable Software and Affected Versions** barebox versions prior to 2026.04.0 **Description** An out-of-bounds read exists in the ext4 extent parsing process due to missing validation of the `eh entries` field against buffer capacity within the `fs/ext4/ext4 common.c` file. An attacker can trigger heap out-of-bounds reads during boot-time filesystem parsing by providing a malicious ext4 filesystem image via USB, SD card, or network boot, which may allow redirecting reads to arbitrary disk offsets. **Recommendations** Update to version 2026.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** barebox versions prior to 2026.04.0 **Description** An out-of-bounds read occurs during DHCP option parsing within the `dhcp message type()` function because the software fails to verify that the options pointer remains within the received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet lacking a proper 0xff end marker, causing the parser to read past valid packet data and potentially crash the system. **Recommendations** Update to version 2026.04.0 or later. As a temporary workaround, restrict access to the network broadcast domain to minimize the risk of receiving crafted DHCP packets.

**Name of the Vulnerable Software and Affected Versions** barebox versions prior to 2026.04.0 **Description** A denial-of-service issue exists in the ext4 directory parsing within `fs/ext4/ext4 common.c`. The `ext4fs iterate dir()` function does not validate that directory entry length values are non-zero. An attacker can provide a malicious ext4 filesystem image containing a crafted directory entry with a `direntlen` value of 0, triggering an infinite loop during path resolution or directory listing, which causes the boot process to hang indefinitely. **Recommendations** Update to version 2026.04.0.

**Name of the Vulnerable Software and Affected Versions** barebox versions prior to 2026.04.0 **Description** Multiple memory-safety issues exist in the EFI PE loader within the `efi/loader/pe.c` file. An integer overflow occurs during virtual image size computation when using 32-bit arithmetic on section `VirtualAddress` and size values, leading to undersized heap allocation. Additionally, the PE section loading logic does not validate if `PointerToRawData` plus the copied size stays within the PE file buffer. An attacker can provide a malicious EFI PE binary through TFTP, USB, SD card, or network boot to trigger a heap buffer overflow or an out-of-bounds read from heap memory, which could allow code execution in the bootloader context. **Recommendations** Update to version 2026.04.0.

**Name of the Vulnerable Software and Affected Versions** AVACAST (affected versions not specified) **Description** AVACAST contains an unquoted service path issue. This allows privileged local attackers to place a malicious executable file in a specific directory, leading to arbitrary code execution with system privileges when the AVACAST service starts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AVACAST (affected versions not specified) **Description** AVACAST contains a DLL Hijacking flaw that allows authenticated local attackers to place a malicious DLL in a specific directory. This can lead to arbitrary code execution with system privileges when the system loads the DLL. DLL Hijacking is a technique where an application is tricked into loading a malicious library instead of the intended one. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LLMs.txt plugin for WordPress versions prior to 8.2.7 **Description** The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in admin settings. Authenticated attackers with administrator-level permissions or higher can inject arbitrary web scripts into pages. These scripts execute when a user accesses the affected page. This issue specifically impacts multi-site installations and environments where `unfiltered html` has been disabled. **Recommendations** Update the plugin to a version later than 8.2.6.

**Name of the Vulnerable Software and Affected Versions** LLMs.txt plugin for WordPress versions prior to 8.2.7 **Description** Reflected Cross-Site Scripting is possible via the 'tab' parameter. The issue arises from the use of filter input() without a sanitization filter and insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into pages that execute if an administrator is tricked into clicking a link. **Recommendations** Update the plugin to a version later than 8.2.6. Avoid using the `tab` parameter in the affected plugin until the update is applied.

**Name of the Vulnerable Software and Affected Versions** miniupnpd (affected versions not specified) **Description** An integer underflow exists in the parsing of the 'SOAPAction' header. Remote attackers can cause a denial of service or information disclosure by sending a malformed 'SOAPAction' header containing a single quote. This occurs due to improper length validation in the `ParseHttpHeaders()` function, where the parsed length underflows to a large unsigned value when passed to `memchr()`, leading to an out-of-bounds memory read as the process scans memory beyond the allocated HTTP request buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcoap (affected versions not specified) **Description** An issue exists in the OSCORE Appendix B.2 CBOR unwrap handling where the function `get byte inc()` in src/oscore/oscore cbor.c relies exclusively on assert() for bounds checking. Since assert() is removed in release builds compiled with NDEBUG, attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation. This can trigger out-of-bounds reads during CBOR parsing and potentially lead to heap buffer overflow writes due to integer wraparound in the allocation size computation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Text to Speech for WP (AI Voices by Mementor) versions up to and including 1.9.8 Description The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress contains hardcoded MySQL database credentials for the vendor's external telemetry server within the `Mementor TTS Remote Telemetry` class. This allows unauthenticated attackers to extract and decode these credentials, potentially gaining unauthorized write access to the vendor's telemetry database. Recommendations Update the Text to Speech for WP (AI Voices by Mementor) plugin to a version later than 1.9.8.

**Name of the Vulnerable Software and Affected Versions** Truebooker versions 1.1.4 and earlier **Description** The Appointment Booking and Scheduler Plugin – Truebooker for WordPress is affected by a sensitive information exposure issue. Unauthenticated attackers may be able to view potentially sensitive information contained in exposed views php files through direct access. **Recommendations** Update Truebooker to a version later than 1.1.4.

**Name of the Vulnerable Software and Affected Versions** WP-Chatbot for Messenger plugin for WordPress versions prior to 4.9 **Description** The WP-Chatbot for Messenger plugin for WordPress is susceptible to an authorization bypass. The plugin does not adequately verify user authorization, allowing unauthenticated attackers to overwrite the site’s MobileMonkey API token and company ID options. Successful exploitation can lead to hijacking chatbot configuration and redirecting visitor conversations to an attacker-controlled MobileMonkey account. **Recommendations** Update the WP-Chatbot for Messenger plugin to a version newer than 4.9.

**Name of the Vulnerable Software and Affected Versions** Edimax GS-5008PL firmware versions prior to 1.00.54 **Description** The firmware stores credentials insecurely, allowing attackers to obtain administrator credentials by accessing configuration backup files. Attackers can download the `config.bin` file through the `/fupload.cgi` endpoint to extract plaintext username and password fields, enabling unauthorized administrative access. The `username` and `password` are stored in plaintext within the configuration file. **Recommendations** Update to a firmware version newer than 1.00.54.

**Name of the Vulnerable Software and Affected Versions** Edimax GS-5008PL firmware versions prior to 1.00.54 **Description** The Edimax GS-5008PL firmware contains a stored cross-site scripting issue in the `system name set.cgi` script. Attackers can inject arbitrary script code by manipulating the `sysName` parameter. A crafted POST request with a malicious script payload is sent, and the payload executes when management pages, including `system data.js`, are viewed by administrators. **Recommendations** Update the firmware to a version newer than 1.00.54.